UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258159 RHEL-09-653050 SV-258159r971542_rule Medium
Description
If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.
STIG Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide 2024-06-04

Details

Check Text ( C-61900r926462_chk )
Verify that RHEL 9 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:

$ sudo grep admin_space_left_action /etc/audit/auditd.conf

admin_space_left_action = single

If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the system administrator (SA) to indicate how the system is providing real-time alerts to the SA and information system security officer (ISSO).

If there is no evidence that real-time alerts are configured on the system, this is a finding.
Fix Text (F-61824r926463_fix)
Configure "auditd" service to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:

admin_space_left_action = single

The audit daemon must be restarted for changes to take effect.